topic ISE as a hosted NAC solution in Network Access Control

ISE as a hosted NAC solution

AMNassiri0210 — Mon, 14 Oct 2019 05:37:07 GMT

Hi All,

I have come across a distributed ISE design where the ISE deployment is provided as a hosted NAC solution for a client.

Question is, the ISE servers will have a FQDN from the host company but the certificates issued by the customer's CA will have their DNS/Domain appended to it. How would ISE will match this certificate and accepts it.

As far as I know ISE will look into the SAN extension of the Cert and if the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node.

In this case the SAN extension within the certificate will only have the customer DNS details and not the host company.

How would we get around this.

Thanks.

Re: ISE as a hosted NAC solution

Mohammed al Baqari — Mon, 14 Oct 2019 09:54:52 GMT

Depends on what are you using the certificate for. If its for EAP
communication, its not necessary to have the fqdn in the cn or alternative
domains. But if you are using it for administration login then (admin or
guest portal) then its a must to avoid certs errors. So it depends on the
use of the cert

**** remember to rate useful posts

Re: ISE as a hosted NAC solution

AMNassiri0210 — Mon, 14 Oct 2019 22:59:01 GMT

Thanks Mohammed,

The cert will be used for EAP-TLS and Portals (Guest, BYOD, Sponsor, Self-Registered Guest).

How do we go around this for the portals then?

The way I have done the CSR in the past with on-premise deployment (customer owned and managed ISE solution) is like:

CN=CompanyA-ISE

SAN = DNS name - ISE1.company1.local
SAN = DNS name - ISE2.company1.local
SAN = IP Address 10.x.x.1
SAN = IP Address 10.x.x.2

Now the CSR with the managed solution will have the DNS entry of the host-company and not customer's, I do not know how this would work?

Is there anything the customer can do on their infrastructure like within the CA to include the host company's DNS details etc.?

Appreciate any input.

Thanks.

Re: ISE as a hosted NAC solution

Jason Kunst — Fri, 25 Oct 2019 11:12:05 GMT

Here is info on ISE certificates, ISE will need to have the correct FQDN and/or IP addresses for correct DNS resolution. its not meant to deploy for hosted solution but perhaps you could setup a portal for different customers and under each portal create a different certificate? and separate certificate per PSN?
Look at Certificate group tag, use one per customer and per portal?
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html#task_9232D7F51A5241D28DA88F123CB63EED

The certificate is assigned under the portal settings. you could do a different

some other info

https://cs.co/ise-guides
https://community.cisco.com/t5/security-documents/ise-security-ecosystem-integration-guides/ta-p/3621164#toc-hId-1853178353

Re: ISE as a hosted NAC solution

AMNassiri0210 — Thu, 31 Oct 2019 02:35:37 GMT

Hi Jason,

Thanks for your reply.

ISE is being hosted for only a single client, I should have worded it correctly my apologies. It is managed by a third party in their network for this client.

So that is why the DNS and FQDN questions arised, whose to use.

We are trying to add the DNS entries of the the managed services team into clients domain (which is again managed by a third party) so ISE can resolve it. This is work in progress and I will keep you posted.

Thanks again for your time and the links attached.